Re: [Pdns-users] Different RRSIG's on master and slaves

2013-09-25 Thread mvdgeijn
I did some other tests, and the fix for this problem seems to be to delete
the records for the domain in the cryptokeys table on the slave servers, and
after that update the serial.

Is there a way to force this using the pdnssec or pdns_control tools from
the master server?

Regards,
Marc



--
View this message in context: 
http://powerdns.13854.n7.nabble.com/Different-RRSIG-s-on-master-and-slaves-tp10349p10357.html
Sent from the PowerDNS mailing list archive at Nabble.com.

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users


[Pdns-users] PowerDNS 3.0: Can't deal with multi-part NSEC mappings yet

2013-09-25 Thread Fredrik Roubert
Hello!

My ISP is running a slave DNS service, using PowerDNS 3.0 as this is the
version included in Ubuntu 12.04 LTS. I've already read this post, about
DNSSEC in 3.0 being explicitly deprecated:

http://mailman.powerdns.com/pipermail/pdns-users/2012-July/009099.html

But seeing that my ISP's position of "we'll use what's default in the
LTS" is kind of reasonable, I thought it might be worth asking here on
pdns-users@ anyway:

I've set up a master DNS using BIND 9.8 (sorry guys, it's not that I
have anything against PowerDNS, BIND is just a better choice for me
personally here ;-) and DNSSEC signed my zone using RSA/SHA-1 keys:

http://dnssec-debugger.verisignlabs.com/roubert.net

(As far as I can tell, it's all fine. I've also whitelisted my ISP's
server for zone transfers, and transferring other zones, that aren't
using DNSSEC, between the same two servers works just fine.)

Transferring this DNSSEC signed zone, however, leads my ISP's PowerDNS
to log error messages like this:

Sep 25 10:01:07 ns5 pdns[27445]: Unable to parse record during incoming AXFR of 
'roubert.net' (MOADNSException): Can't deal with multi-part NSEC mappings yet

So this is clearly something in PowerDNS 3.0 that was fixed in 3.1:

http://wiki.powerdns.com/trac/changeset/2590
http://doc.powerdns.com/html/changelog.html#changelog-auth-3-1

But what does it mean? What exactly is it in my configuration that makes
PowerDNS 3.0 unable to handle it? Is it something I could change to make
PowerDNS 3.0 play along as a slave server?

Cheers // Fredrik Roubert

-- 
Forsterstrasse 64  |  +41 78 8170377
CH-8044 Zürich |  http://www.df.lth.se/~roubert/



Re: [Pdns-users] PowerDNS 3.0: Can't deal with multi-part NSEC mappings yet

2013-09-25 Thread Peter van Dijk
Hello Fredrik,

On Sep 25, 2013, at 10:49 , Fredrik Roubert wrote:

> My ISP is running a slave DNS service, using PowerDNS 3.0 as this is the
> version included in Ubuntu 12.04 LTS. I've already read this post, about
> DNSSEC in 3.0 being explicitly deprecated:
>
> http://mailman.powerdns.com/pipermail/pdns-users/2012-July/009099.html

Yes. This is not the only issue you will run into, and other issues may be more 
subtle.

> Transferring this DNSSEC signed zone, however, leads my ISP's PowerDNS
> to log error messages like this:
>
> Sep 25 10:01:07 ns5 pdns[27445]: Unable to parse record during incoming AXFR
> of 'roubert.net' (MOADNSException): Can't deal with multi-part NSEC mappings
> yet
>
> So this is clearly something in PowerDNS 3.0 that was fixed in 3.1:
>
> http://wiki.powerdns.com/trac/changeset/2590
> http://doc.powerdns.com/html/changelog.html#changelog-auth-3-1
>
> But what does it mean? What exactly is it in my configuration that makes
> PowerDNS 3.0 unable to handle it? Is it something I could change to make
> PowerDNS 3.0 play along as a slave server?


The only reason we've seen these multi-part mappings in practice is when BIND 
stores auto-signing metadata in private records with high TYPE numbers. You may 
be able to get rid of these by changing your BIND configuration - I'm not sure.

If that's not it, check your zone file for any lines containing TYPE in 
uppercase, or any entry over 255 in 
http://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-4

Kind regards,
-- 
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/





Re: [Pdns-users] Different RRSIG's on master and slaves

2013-09-25 Thread Klaus Darilion
I wonder why there are cryptokeys in the slave at all. What kind of 
setup do you use? Online-signing on the master and pre-signed on the slaves?


klaus

On 25.09.2013 09:53, mvdgeijn wrote:

> I did some other tests, and the fix for this problem seems to be to delete
> the records for the domain in the cryptokeys table on the slave servers, and
> after that update the serial.
>
> Is there a way to force this using the pdnssec or pdns_control tools from
> the master server?
>
> Regards,
> Marc



Re: [Pdns-users] PowerDNS 3.0: Can't deal with multi-part NSEC mappings yet

2013-09-25 Thread Christof Meerwald
On Wed, 25 Sep 2013 10:49:39 +0200, Fredrik Roubert wrote:
> My ISP is running a slave DNS service, using PowerDNS 3.0 as this is the
> version included in Ubuntu 12.04 LTS. I've already read this post, about
> DNSSEC in 3.0 being explicitly deprecated:
>
> http://mailman.powerdns.com/pipermail/pdns-users/2012-July/009099.html
>
> But seeing that my ISP's position of "we'll use what's default in the
> LTS" is kind of reasonable

Sorry, but that position doesn't sound reasonable to me as pdns-server
is only part of universe in Ubuntu, so it's not officially supported
by Canonical.


Christof

-- 

http://cmeerw.org  sip:cmeerw at cmeerw.org
mailto:cmeerw at cmeerw.org   xmpp:cmeerw at cmeerw.org



Re: [Pdns-users] PowerDNS 3.0: Can't deal with multi-part NSEC mappings yet

2013-09-25 Thread Michael Ströder
Fredrik Roubert wrote:
> My ISP is running a slave DNS service, using PowerDNS 3.0 as this is the
> version included in Ubuntu 12.04 LTS. I've already read this post, about
> DNSSEC in 3.0 being explicitly deprecated:
>
> http://mailman.powerdns.com/pipermail/pdns-users/2012-July/009099.html
>
> But seeing that my ISP's position of "we'll use what's default in the
> LTS" is kind of reasonable,

IMO it's nonsense to rely on a distribution package in case the upstream
developers strongly discourage a release for a certain usage. You should
really discuss this with your ISP even if you manage to work around the
current problem.

Ciao, Michael.





Re: [Pdns-users] PowerDNS 3.0: Can't deal with multi-part NSEC mappings yet

2013-09-25 Thread Fredrik Roubert
On Wed 25 Sep 11:00 CEST 2013, Peter van Dijk wrote:

> If that's not it, check your zone file for any lines containing TYPE in
> uppercase, or any entry over 255 in
> http://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-4

Ah, thank you, this is interesting. My zone file has TYPE65534 records,
which are part of BIND's "Fully automatic zone signing" process:

ftp://ftp.isc.org/isc/bind9/9.9.4/doc/arm/Bv9ARM.ch04.html#id2563513

Are you saying that PowerDNS 3.0 is failing on these TYPE65534 records? If
so, then that's case closed for it wouldn't be possible to get rid of them
without also saying good-bye to automatic zone signing.

Cheers // Fredrik Roubert

-- 
Forsterstrasse 64  |  +41 78 8170377
CH-8044 Zürich |  http://www.df.lth.se/~roubert/




Re: [Pdns-users] PowerDNS 3.0: Can't deal with multi-part NSEC mappings yet

2013-09-25 Thread Peter van Dijk
Hello Fredrik,

On Sep 26, 2013, at 2:46 , Fredrik Roubert wrote:

> On Wed 25 Sep 11:00 CEST 2013, Peter van Dijk wrote:
>
> > If that's not it, check your zone file for any lines containing TYPE in
> > uppercase, or any entry over 255 in
> > http://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-4
>
> Ah, thank you, this is interesting. My zone file has TYPE65534 records,
> which are part of BIND's "Fully automatic zone signing" process:
>
> ftp://ftp.isc.org/isc/bind9/9.9.4/doc/arm/Bv9ARM.ch04.html#id2563513
>
> Are you saying that PowerDNS 3.0 is failing on these TYPE65534 records? If
> so, then that's case closed for it wouldn't be possible to get rid of them
> without also saying good-bye to automatic zone signing.


PowerDNS is failing on the NSECs related to these records. So, in short, yes.

Again - please don't use 3.0 for DNSSEC.

Kind regards,
-- 
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/



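Peter's explanation of private records with high TYPE numbers and the TYPE65534 records Fredrik found both come down to how the NSEC type bitmap is laid out on the wire: one window block per distinct high octet of the type numbers present at an owner name. The following is an added example, not code from the thread, PowerDNS or BIND; it encodes and decodes that field per RFC 4034 and flags owner names in a constructed sample zone whose bitmap would need more than one window block (all names and records in it are made up).

```python
# Added example, not from the thread or from PowerDNS: the NSEC "Type Bit Maps"
# field of RFC 4034 s4.1.2, and why TYPE65534 forces a second window block.
from collections import defaultdict
TYPE_NUMBERS = {"A": 1, "NS": 2, "SOA": 6, "MX": 15, "AAAA": 28,  # IANA numbers
                "RRSIG": 46, "NSEC": 47, "DNSKEY": 48}            # for the sample

def encode_type_bitmap(types):
    """Wire-format Type Bit Maps: one (window, length, bitmap) block per
    distinct high octet among the type numbers present."""
    windows = defaultdict(lambda: bytearray(32))
    for t in types:
        if not 0 <= t <= 65535:
            raise ValueError("RR type out of range: %d" % t)
        window, low = t >> 8, t & 0xFF                  # high octet, low octet
        windows[window][low // 8] |= 0x80 >> (low % 8)  # bit 0 is the MSB
    out = bytearray()
    for window in sorted(windows):
        bitmap = windows[window].rstrip(b"\x00")        # trailing zeros omitted
        out += bytes((window, len(bitmap))) + bitmap
    return bytes(out)

def decode_type_bitmap(data):
    """Parse a Type Bit Maps field back into a sorted list of type numbers."""
    types, pos = [], 0
    while pos < len(data):
        window, length = data[pos], data[pos + 1]
        if not 1 <= length <= 32 or pos + 2 + length > len(data):
            raise ValueError("malformed window block at offset %d" % pos)
        for i, octet in enumerate(data[pos + 2:pos + 2 + length]):
            types += [(window << 8) | (i * 8 + b) for b in range(8) if octet & (0x80 >> b)]
        pos += 2 + length
    return types

def multi_window_owners(zone_text):
    """Owner names whose NSEC bitmap needs more than one window block. Expects one
    record per line (OWNER TTL CLASS TYPE RDATA); TYPEnnnn is accepted. RRSIG and
    NSEC added by signing sit in window 0 and do not change the answer."""
    per_owner = defaultdict(set)
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0].startswith(";"):
            continue
        per_owner[f[0]].add(int(f[3][4:]) if f[3].startswith("TYPE") else TYPE_NUMBERS[f[3]])
    return sorted(o for o, ts in per_owner.items() if len({t >> 8 for t in ts}) > 1)

# Constructed sample zone with a BIND-style TYPE65534 signing-state record at the apex.
SAMPLE_ZONE = """\
example.test. 3600 IN NS ns1.example.test.
example.test. 3600 IN TYPE65534 \\# 5 0801020304
www.example.test. 3600 IN A 192.0.2.1
"""
```

Running multi_window_owners(SAMPLE_ZONE) reports only the apex, because it is the one name that mixes window 0 types with a window 255 type.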